This is a port of Linux commit ff821092cf02a70c2bccd2d19269f01e29aa52cf: | Author: Szymon Heidrich <szymon.heidrich@xxxxxxxxx> | AuthorDate: Thu Mar 16 11:19:54 2023 +0100 | | net: usb: smsc95xx: Limit packet length to skb->len | | Packet length retrieved from descriptor may be larger than | the actual socket buffer length. In such case the cloned | skb passed up the network stack will leak kernel memory | contents. | | Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") | Signed-off-by: Szymon Heidrich <szymon.heidrich@xxxxxxxxx> | Reviewed-by: Jakub Kicinski <kuba@xxxxxxxxxx> | Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@xxxxxxxxx | Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
---
drivers/net/usb/smsc95xx.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
index ab0059fcdb0f..1587128368ad 100644
--- a/drivers/net/usb/smsc95xx.c
+++ b/drivers/net/usb/smsc95xx.c
@@ -767,6 +767,12 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, void *buf, int len)
 size = (u16)((header & RX_STS_FL_) >> 16);
 align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4;
 
+ if (unlikely(size > len)) {
+ netif_dbg(dev, rx_err, dev->net,
+ "size err header=0x%08x\n", header);
+ return 0;
+ }
+
 if (header & RX_STS_ES_) {
 netif_dbg(dev, rx_err, dev->net,
 "Error header=0x%08x\n", header);
-- 2.39.2
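Review bot: The added guard `if (unlikely(size > len))` is only as strong as the meaning of `len` at that point: `size` comes from the device-supplied RX status word, and the check bounds it correctly only if `len` already counts the bytes left after the status word and NET_IP_ALIGN padding of the current frame have been consumed. Upstream compares against skb->len (per the commit title) while this port uses the `len` parameter, and the code that adjusts it lies outside the hunk, so that equivalence should be confirmed rather than assumed. Assuming `size` is the u16 the cast suggests, it is promoted to int for the comparison, so a negative `len` is rejected here as well, which is the safe outcome. I would add a comment above the check such as `/* size is taken from the device-supplied status word; drop the transfer if it exceeds the bytes left in buf */`. The body of smsc95xx_rx_fixup starts and ends outside the hunk.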